This e-mail indeed passed through the tool labs mailserver. In principle, this is OK (we are supposed to forward mails to gifti@tools.wmflabs.org to you), but we should obviously not accept mails 'from: <something>@tools.wmflabs.org' from a third party. Apparently we don't check SPF records ourselves...? :/

see https://github.com/Exim/exim/wiki/SPF and /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

It's not as clearcut as that - you'd expect people receiving email to their *@tools.wmflabs.org addresses to be able to reply with that same address as From:; so it's not immediately clear that such emails should "obviously" not be accepted.

Email headers are not authenticated and cannot be; the best one can do is attempt to reduce obvious outliers and minimize spam and phishing and while using SPF to score spam is good, using it to reject email entirely is rarely a very good idea (as yahoo demonstrates with its horrid false positive rejections).

I think people using tools.wmflabs.org as their domain for outgoing mails should use the proper mail server (which is tricky, but doable if you really want to), so I don't have any problem with publishing (hard) SPF records for tools.wmflabs.org.

But for incoming mails the situation is made worse by us currently forwarding mails without address rewriting, i. e. a mail from someone@somewhere to scfc@tools.wmflabs.org causes the Tools mail server to claim to my mail server that it is the legitimate sender for somewhere. So as long as we are not conservative in sending mails out, we should be liberal in accepting mails, not least so that we don't shoot ourselves in the foot :-).

you'd expect people receiving email to their *@tools.wmflabs.org addresses to be able to reply with that same address as From

that doesn't work, actually, because we publish an SPF record:

• from: valhallasw@gmail.com to marc@tools.wmflabs.org via smtp.gmail.com works (smtp.gmail.com is allowed to send mails from gmail.com)
• from: valhallasw@tools.wmflabs.org to marc@tools.wmflabs.org via smtp.gmail.com works (tools.wmflabs.org doesn't check SPF, so accepts smtp.gmail.com as source)
• from: valhallasw@tools.wmflabs.org to marc@otherdomain.org via smtp.gmail.com fails (smtp.gmail.com is not allowed to send mails from tools.wmflabs.org)
• from: valhallasw@tools.wmflabs.org to marc@otherdomain.org via mail.tools.wmflabs.org fails (relay denied)

while using SPF to score spam is good, using it to reject email entirely is rarely a very good idea (as yahoo demonstrates with its horrid false positive rejections).

Iirc the issues with Yahoo are related to DMARC, not to SPF. We should add an envelope-from to our emails, though: T120225: Toolforge: correctly envelope forwarded email

SPF checks/filtering can take some tuning, for a few reasons...

• A SPF pass is essentially meaningless as anyone can register a domain and set a valid SPF record.
• SPF "failure" can have multiple degrees set by the domain owner, which means...
• SPF is often not going to be enough to trust or reject mail outright, but..
• We could add different spam scores to messages depending on the type of failure.

What I think makes sense in this use case is:

1. Roll out spamassassin to tools mail. We should be able to reuse the spamassassin puppet module and borrow config snippets from the mx exim template to get started (modules/role/templates/exim/exim4.conf.mx.erb)
2. Log spam scores at first, then after some analysis start rejecting “high” spam scores (we drop spam-score >12 at the prod MXes, but maybe tools mail wants to be more aggressive)
3. Set SPF hard failures (-all) to add a spamassassin spam score greater than that required to reject the mail outright during the smtp session

Step 1 would accomplish the task of "checking spf before forwarding" by itself, and steps 2-3 would go further towards better filtering of spam generally and preventing (ab)users from forging tools.wmflabs.org envelope from addresses (as tools.wmflabs.org has a hard fail SPF policy already).

Change 608005 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] toolforge: mailrelay: introduce spam filtering with spamassassin

https://gerrit.wikimedia.org/r/608005

Mentioned in SAL (#wikimedia-cloud) [2020-06-26T12:12:32Z] <arturo> puppetmaster live-hacking with https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/608005 (T120210)

I tested the new spam filter using GTUBE: https://spamassassin.apache.org/gtube/

Basically, sending an email with the mentioned string in the body: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34@ (replace trailing @ with X).

A message with that string scores high spam value and is therefore rejected:

==> /var/log/exim4/rejectlog <==
2020-06-29 11:55:25 1jpsNh-0006AJ-BT H=mail-wr1-f54.google.com [209.85.221.54] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=<arturo.borrero.glez@gmail.com> rejected after DATA: This message scored 1000.0 spam points.

Change 608005 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] toolforge: mailrelay: introduce spam filtering with spamassassin

https://gerrit.wikimedia.org/r/c/operations/puppet/ /608005

Mentioned in SAL (#wikimedia-cloud) [2020-06-29T12:01:47Z] <arturo> introduced spam filter in the mail server (T120210)

In T120210#6270976, @aborrero wrote:

Instead, I suggest we leave this as is currently configured: marking SPF failures as possible spam messages. It is a significant improvement to what we had before anyways.
And in the future, if we get more reports related to this, we can review the setup again.

Sounds reasonable to me! One additional action I'd suggest is reviewing the spamd logs in a months time to see how many mails are being flagged with SPF_FAIL, and review/tune based on that.